b'                                       SOCIAL SECURITY\nMEMORANDUM\n\nDate:      January 14, 2002                                                     Refer To:\n\nTo:        Jo Anne B. Barnhart\n           Commissioner\n\nFrom:      Inspector General\n\nSubject:   Performance Measure Review: Reliability of the Data Used to Measure Anti-Fraud\n           Performance (A-02-01-11013)\n\n\n           Following consultations with congressional committees, the Office of the Inspector\n           General (OIG) agreed to review the Social Security Administration\xe2\x80\x99s performance\n           indicators over a continuous 3-year cycle. We recently completed our first 3-year\n           cycle. In conducting this work, we used the services of an outside contractor,\n           PricewaterhouseCoopers (PwC), LLP, to assist us in our efforts.\n\n           For this report, we used PwC to conduct the review of four of the Agency\xe2\x80\x99s performance\n           indicators related to anti-fraud activities. The objective of the review was to assess the\n           reliability of the data used to measure the Agency\xe2\x80\x99s anti-fraud efforts. These anti-fraud\n           indicators measure the results of the work conducted by the Office of Investigations\n           within OIG. To ensure an independent review of these indicators, we relied on our\n           contractor to assess the reliability of the data behind these measures.\n\n           The attached final report presents the results of the contractor\xe2\x80\x99s work and its\n           recommendations for improvement. We are generally in agreement with all of the\n           contractor\xe2\x80\x99s recommendations focusing on OIG operations. In fact, we are taking steps\n           to ensure that OIG produces an accurate assessment of its anti-fraud activities. We\n           plan to work closely with the Agency on those recommendations where coordination\n           would be appropriate. If you wish to discuss the final report, please call me or have\n           your staff contact Steven L. Schaeffer, Assistant Inspector General for Audit, at\n           (410) 965-9700.\n\n\n\n\n                                                           James G. Huse, Jr.\n\n           Attachment\n\x0c            OFFICE OF\n     THE INSPECTOR GENERAL\n\n SOCIAL SECURITY ADMINISTRATION\n\n\n\n   PERFORMANCE MEASURE REVIEW:\n   RELIABILITY OF THE DATA USED TO\n        MEASURE ANTI-FRAUD\n            PERFORMANCE\n\n     January 2002       A-02-01-11013\n\n\n\nEVALUATION REPORT\n\n\n\n\n                    .\n\x0c                                      Mission\n\nWe improve SSA programs and operations and protect them against fraud, waste,\nand abuse by conducting independent and objective audits, evaluations, and\ninvestigations. We provide timely, useful, and reliable information and advice to\nAdministration  officials, the Congress, and the public.\n\n                                     Authority\n\nThe Inspector General Act created independent audit and investigative units,\ncalled the Office of Inspector General (OIG). The mission of the OIG, as spelled\nout in the Act, is to:\n\n  0   Conduct and supervise independent and objective audits and\n      investigations relating to agency programs and operations.\n  o   Promote economy, effectiveness, and efficiency within the agency.\n  0   Prevent and detect fraud, waste, and abuse in agency programs and\n      operations.\n  0   Review and make recommendations        regarding existing and proposed\n      legislation and regulations relating to agency programs and operations.\n  0   Keep the agency head and the Congress fully and currently informed of\n      problems in agency programs and operations.\n\n  To ensure objectivity,   the IG Act empowers   the IG with:\n\n  o   Independence to determine what reviews to perform.\n  0   Access to all information necessary for the reviews.\n  0   Authority to publish findings and recommendations    based on the reviews.\n\n                                       Vision\n\nBy conducting independent and objective audits, investigations,  and evaluations,\nwe are agents of positive change striving for continuous improvement in the\nSocial Security Administration\'s programs, operations, and management and in\nour own office.\n\x0cEvaluation of Selected Performance\nMeasures of the Social Security\nAdministration:\nReliability of the Data Used to Measure\nAnti-Fraud Performance\n\nOffice of the Inspector General\nSocial Security Administration\n\x0cINTRODUCTION\n\nThis report is one of five separate stand-alone reports, corresponding to the following\nSocial Security Administration (SSA) process and performance measures (PM):\n\nq   Number of investigations conducted (i.e., closed) (PM #5)\n      Fiscal Year (FY) 2000 Goal: 7,600\n\nq   Old-Age, Survivors and Disability Insurance (OASDI) dollar amounts reported from\n    investigative activities (PM #6)\n        FY 2000 Goal: $40 million\n\nq   Supplemental Security Income (SSI) dollar amounts reported from investigative\n    activities (PM #7)\n        FY 2000 Goal: $80 million\n\nq   Number of criminal convictions (PM # 8)\n      FY 2000 Goal: 1,800\n\nThis report reflects our understanding and evaluation of the process related to PMs #5\nthrough #8. To achieve its strategic goal \xe2\x80\x9cTo make SSA program management the best-\nin-business, with zero tolerance for fraud and abuse,\xe2\x80\x9d SSA has developed several\nstrategic objectives. One of these objectives is \xe2\x80\x9cTo aggressively deter, identify, and\nresolve fraud.\xe2\x80\x9d SSA\xe2\x80\x99s FY 2001 Annual Performance Plan (APP) contains four\nperformance indicators developed to meet this objective as follows:\n\nq   Number of investigations conducted (i.e., closed) - Prior to FY 2000, this goal was\n    based on cases opened. The FY 2000 goal was revised upward from 7,200 to 7,600\n    investigations conducted (i.e., closed) in SSA\xe2\x80\x99s FY 2000 Revised Final Performance\n    Plan; this reflects the benefits of increased resources the Office of the Inspector\n    General (OIG) devoted to investigative activities.\n\nq   OASDI dollar amounts reported from investigative activities - The FY 2000 goal was\n    revised upward from $9 million to $40 million in SSA\xe2\x80\x99s FY 2000 Revised Final\n    Performance Plan; this reflects an anticipated return on investment from investigative\n    activities as described above.\n\nq   SSI dollar amounts reported from investigative activities - The FY 2000 goal was\n    revised upward from $55 million to $80 million in SSA\xe2\x80\x99s FY 2000 Revised Final\n    Performance Plan to reflect an anticipated return on investment from investigative\n    activities as described above.\n\nq   Number of criminal convictions - The FY 2000 goal was 1,800 convictions.\n\nWe performed our testing from September 21, 2000 through February 15, 2001. Our\nengagement was limited to testing at SSA\xe2\x80\x99s headquarters in Woodlawn, Maryland and\nthe OIG office in Philadelphia, Pennsylvania. The procedures that we performed were in\naccordance with the American Institute of Certified Public Accountants\xe2\x80\x99 Statement on\nStandards for Consulting Services, and are consistent with appropriate standards for\nperformance audit engagements in Government Auditing Standards (Yellow Book, 1994\n\n\n\n                                              1\n\x0cversion). However, we were not engaged to and did not conduct an audit, the objective\nof which would be the expression of an opinion on the reliability or accuracy of the\nreported results of the performance measures evaluated. Accordingly, we do not\nexpress such an opinion.\n\nBACKGROUND\n\nSSA has been engaged in an aggressive program to deter, detect, investigate and\nprosecute fraud. To carry out this effort, SSA and the OIG have cooperated in\ndeveloping a comprehensive anti-fraud plan. The SSA OIG, Office of Investigations (OI)\nis responsible for investigating allegations of fraud, waste and abuse. The four\nindicators evaluated focus on the OIG\xe2\x80\x99s output efforts to achieve improvements in\ndeterring, identifying and resolving fraud.\n\nThe first performance measure, \xe2\x80\x9cNumber of investigations conducted,\xe2\x80\x9d represents the\nnumber of investigations \xe2\x80\x9cconducted\xe2\x80\x9d by OI resulting from allegations that have sufficient\ninformation or potential risk to warrant further review or action by a criminal investigator.\nAllegations may be received from Congress, SSA employees, or from the public by mail,\ne-mail, fax, Internet, or telephone (i.e., 800 Hotline). Investigations are counted as\n\xe2\x80\x9cconducted\xe2\x80\x9d when all OI actions have been completed or the investigator has determined\nthat further action is not warranted due to lack of investigative leads. The objective is to\nraise the number of investigations conducted (i.e., closed), which relates to the strategic\ngoal to aggressively deter, identify and resolve fraud. This performance measure is\npresented as a workload count, and includes every closed case, including cases for\nwhich it was determined that no fraud was involved.\n\nThe second and third performance measures, \xe2\x80\x9cOASDI dollar amounts reported from\ninvestigate activities\xe2\x80\x9d and \xe2\x80\x9cSSI dollar amounts reported from investigative activities,\xe2\x80\x9d\nrepresent amounts reported by the OI from fines/penalties, assessments, savings,\nrecoveries and restitution/judgments related to investigative activities. The components\nof investigative activities, or \xe2\x80\x9cmonetary achievement\xe2\x80\x9d are defined as follows:\n\nq   Fines/penalties are court-ordered, and include any special assessment fees,\n    imposed upon conviction in a criminal case or judgment in a civil case, which require\n    a specified sum of money be paid to the court.\nq   Program savings is a calculation of the avoidance of actual dollar loss by actions that\n    result in the termination of improper payments of program funds, which only can\n    relate to SSA cases.\nq   Restitution can only be recorded in a criminal case, in which the court-ordered\n    repayment that resulted from pretrial diversions and convictions. The amount of\n    restitution may be categorized as SSA or non-SSA program amounts. In addition,\n    the amount of the restitution claimed by OI should match the amount of restitution\n    documented on the Judgment and Commitment Order (J&C) or Pretrial Diversion\n    agreement.\nq   A judgment is a judicially ordered payment resulting from a civil action, either through\n    Department of Justice civil proceedings or the Civil Monetary Penalty Program,\n    which can be categorized as SSA or non-SSA program related. The distinguishing\n    characteristic of a judgment is its nexus to a civil action, as opposed to a criminal\n    restitution.\n\n\n\n\n                                             2\n\x0cq   A scheduled recovery is a total sum of non-court ordered repayment of funds to\n    which an individual was not entitled, or the total of funds to be returned because the\n    individual was not entitled, which can be categorized as SSA or non-SSA program\n    related. In those SSA program cases in which the court does not order restitution\n    because of a defendant\xe2\x80\x99s inability to pay, OI will provide a copy of the J&C to SSA,\n    accompanied by a memorandum requesting SSA to recover the program losses.\n    SSA\xe2\x80\x99s initiation of withholding future payments will constitute a scheduled recovery.\n\nThe objective is to report the dollar values of the OI efforts/activities to identify and\nresolve fraud, which is directly related to the strategic goal \xe2\x80\x9cTo aggressively deter,\nidentify and resolve fraud.\xe2\x80\x9d\n\nThe last performance measure, \xe2\x80\x9cNumber of Criminal Convictions,\xe2\x80\x9d represents the\nnumber of criminal convictions as a result of OI activities. This performance measure is\npresented as a workload count of all cases concluding in a criminal conviction. In\naddition to purposes served by formally charging a person with the commission of a\ncrime, the criminal prosecution process has an impact, which may deter others from\ncommitting violations, and therefore is directly related to the strategic goal \xe2\x80\x9cTo\naggressively deter, identify and resolve fraud.\xe2\x80\x9d\n\nAllegation and Case Investigative System (ACIS)\n\nInformation concerning potential wrongdoing involving SSA programs, employees, or\noperations which are received by an SSA OIG component are accounted for in ACIS.\nThe system encompasses the initial receipt of an allegation, all steps taken throughout\nthe investigative process, and the final outcome of all investigations. The system\nresides in a database (ADABAS) application, at the Center for Information Technology\n(CIT) of the National Institutes of Health (NIH).\n\nThe ACIS process begins with the receipt of an allegation. The Allegation Management\nDivision (AMD) staff records these allegations in the allegation management module of\nACIS. They are then electronically forwarded to either an OI field division (FD), a SSA\nfield component, another agency, or are closed. Allegations may be received from\nCongress or from the public via mail, e-mail, fax, Internet, or telephone (i.e., 800\nHotline). FDs may also receive allegations directly, and are also required to enter the\nallegation information into ACIS. If an investigation is warranted, all information and\nsupporting documentation will be forwarded to the appropriate individuals within the FD.\n\nWhen an investigation is opened, ACIS generates an OI-1, ACIS Case Opening Report.\nTo complete and document an investigation, the Special Agent (SA) is required to\ncomplete a series of forms. Once the case is taken to court, if the court orders a\nrestitution or judgment, the agent completes the OI-68, Report of Court Ordered\nRestitution/Judgment. The OI-671, Monetary Achievement Worksheet, may also\naccompany an OI-68. The OI-67 is the form used to document any civil monies\nrecovered during the investigation, as well as to assist in calculating the monetary\nachievement documented on the OI-68. Once all aspects of the investigation are\ncompleted the SA completes an OI-9, ACIS Criminal and Administrative Disposition\nForm. This form includes the judicial and criminal disposition data, as well as criminal\n1\n The OI-67 has been discontinued by OI since the information reported on the form is also reported on the\nOI-9.\n\n\n\n                                                    3\n\x0cand administrative monetary achievements, and is used by the administrative personnel,\nSAs, Assistant Special Agents-in-Charge (ASAC) or Special Agents-in-Charge (SAC) to\ninput the monetary achievements into ACIS.\n\nThe OI-68 is mailed to OI Manpower and Administration Division (MAD) in Woodlawn,\nMaryland. It is then reviewed against the data, which is entered into ACIS for accuracy\nand distributed to SSA\xe2\x80\x99s Debt Management Section for notification of the court-ordered\nrestitution. In addition, the OI-68 and the payments are sent to the Mid-Atlantic Program\nService Center (MATPSC) to be processed. The MATPSC cross-references the checks\nto the OI-68 and posts them to the correct Social Security numbers (SSN).\n\nRESULTS OF EVALUATION\n\nDuring the period of September 21, 2000 to February 15, 2001, we evaluated the current\nprocesses, systems and controls, which support the FY 2000 SSA performance\nmeasurement process. In addition, we determined the accuracy of the underlying\nperformance measure data. Our evaluation of the information provided by SSA\nmanagement as of February 15, 2001, allowed us to determine that the reported FY\n2000 results of the four performance measures tested (as itemized below) were\nreasonably stated based on the methodology used by SSA.\n\n\n\n                      Performance Measure                          Reported Result\n\n   1. Number of investigations conducted (i.e., closed)                        8,051\n\n   2. OASDI dollar amounts reported from investigative                    $46 million\n      activities\n\n   3. SSI dollar amounts reported from investigative                    $128 million\n      activities\n\n   4. Number of criminal convictions                                           2,604\n\n\n\nHowever, we noted certain deficiencies in SSA\xe2\x80\x99s methodology used to analyze the\nperformance measures and certain limitations with ACIS. Although we do not consider\nany of the deficiencies noted during our evaluation to be significant, consideration should\nbe given to the following recommendations, as we believe there are opportunities for\nimprovement, thereby increasing the value of the performance measures as\nmanagement tools.\n\n1. ACIS has some data integrity deficiencies.\n2. The savings calculation is not adequately supported.\n3. SSA OIG lacks sufficient documentation for several key control areas related to\n   ACIS. These areas are change control policies and procedures, user access\n   recertification procedures and systems development documentation.\n4. SSA OIG lacks appropriate supervisory review in the change control process.\n\n\n\n                                            4\n\x0c5. OASDI and SSI dollar amounts from investigations may be over or understated.\n\nThese items were noted as a result of our testing the underlying performance measure\ndata, as well as the Electronic Data Processing (EDP) and manual controls of the\nsystems generating the performance measure data, and are discussed in detail below.\n\n1. ACIS has some data integrity deficiencies.\n\nTo ensure that the amounts reported in the SSA Government Performance and Results\nAct of 1993 (GPRA) section of the Performance and Accountability Report were\nreasonably accurate and reliable, we obtained a random sample of 45 OASDI, 45 SSI\nand 20 criminal conviction cases from the ACIS system and requested supporting\ndocumentation for each of the cases. In addition, we judgmentally selected 10 cases\nfrom the closed-case cabinet at the Philadelphia sub-office, traced them to ACIS and\nensured the cases were properly documented.\n\nThe results of our evaluation of the cases are as follows:\n\nq   Overstatement of OASDI Monies from Investigative Activities\n\nWe noted that 5 of the 45 OASDI cases evaluated had double-counting errors totaling\n$235,911 for OASDI amounts reported from investigative activities. This resulted from\ndollar amounts in both the scheduled recovery and restitution fields in ACIS. Per the\nSpecial Agent Handbook (SAH), these two fields are mutually exclusive, and therefore a\ncase should not have the same dollars entered in both fields. These two fields are then\ncombined with savings, judgments, settlements, fines, assessments, and penalties to\narrive at the OASDI monies from investigative activities.\n\nq   Policy Errors\n\nIn our evaluation of the 120 ACIS cases selected, we found 2 cases in which the\nprocedures used to calculate savings were not consistent with those procedures outlined\nin the SAH. The first was a fugitive felon case, for which the amount of savings was\ncalculated over 3 years. Per the SAH, Chapter 3, Section 3-75-C8 \xe2\x80\x9cProgram savings for\nfugitive felon cases will be calculated on a 2-year projection.\xe2\x80\x9d In the second case OI\nfound an individual embezzling benefit checks from an entitled beneficiary. A savings\namount was calculated for this case, even though in a similar case, savings were not\ncalculated.\n\nq   Data Anomalies\n\nOur evaluation of the cases also noted that 36 out of the 120 ACIS cases selected\ncontained data anomalies. The data anomalies represent instances where ACIS data\ndid not match the data reported in the supporting documentation (OI-68, OI-9, OI-4, or\nOI-1). For example, in several cases the fraud loss entered into ACIS was higher than\nthe fraud loss reported in the supporting documentation. In some cases, the recovery or\nassessment included in the supporting documentation was not reported in ACIS. These\nerrors could have been caused by either 1) a data entry error made by administrative\npersonnel, SACs, ASACs or SAs, or 2) by documentation errors within the case file,\nmade by SAs.\n\n\n\n                                             5\n\x0cOI has in place a supervisory review of case files at the field division level. However, the\nsupervisory review, Form OI-20, includes a review of the status of the case, not a review\nof the forms within the case file to ensure that the forms are completed appropriately.\nThe SAH, Chapter 3, Section 3-60 B, states the following: \xe2\x80\x9cWhile the review of\ndocuments and evidence in the case file is important, the case review process should\nnot be viewed as merely a review of documents. Rather it is an evaluation of the\ninvestigative progress and potential of the SA\xe2\x80\x99s cases.\xe2\x80\x9d In addition, the SAH does not\ninclude procedures to ensure that the data entered in ACIS by the OI field divisions is\ncorrect.\n\nAlthough the OI MAD has a Quality Review process, this process is limited to a\ncomparison of Form OI-68 \xe2\x80\x9cReport of Court-Ordered Restitution/Judgment\xe2\x80\x9d to the\nrestitution report produced at MAD, and the restitution amounts reported in ACIS. In\naddition, since not all cases require an OI-68, not all cases are reviewed. The lack of\nsupervisory review of the forms and limited review by OI Headquarters has led to errors\ngoing undetected, thus diminishing the accuracy of the number reported by OI as part of\nthe GPRA section of SSA\xe2\x80\x99s Performance and Accountability Report.\n\nACIS is an antiquated system that lacks sufficient capabilities to continue to meet OIG\xe2\x80\x99s\nneeds. The OIG stated that the system has been \xe2\x80\x9cfrozen\xe2\x80\x9d and that it is in the process of\nevaluating commercial off the shelf software packages as an alternative system. These\ndata integrity opportunities for improvement should be considered when selecting and\nimplementing the new system.\n\n2. Savings calculation for disability cases is not adequately supported.\n\nA program saving is an integral part of the dollars reported from the investigative\nactivities calculation. For disability cases, the cooperative disability investigation (CDI)\nteams claim a set amount of savings of $66,500 per case, for applicants who are denied\neligibility due to the findings of the investigation. SSA arrived at this figure in 1997 by\napplying the amount of an average lifetime benefit figure to an average Disability\nDetermination Services claim that is denied. This amount has not been adjusted since\n1997 to reflect the yearly increase of SSI benefit payments. OI, in conjunction with\nSSA\xe2\x80\x99s Office of the Actuary, is currently developing a method to calculate the savings\nfigure for each case based on a claimant\xe2\x80\x99s age, gender, life expectancy and amount of\nbenefit received. The new method will be applied to all CDI cases beginning in FY 2002.\n\n3. SSA OIG lacks sufficient documentation for some control areas related to\n   ACIS.\n\nThere is a lack of documentation for some ACIS processes in SSA OIG operations, as\nfollows:\n\nq   ACIS Change Control: Process in which any modification requests to ACIS, and\n    subsequent modifications of ACIS are formally requested, documented, tested, and\n    implemented.\n\nq   ACIS User Access Recertification: Review of users\xe2\x80\x99 access rights to ACIS, to\n    ensure that their access matches their job responsibilities.\n\n\n\n\n                                             6\n\x0cq   ACIS System Design and Development: System design and development\n    documentation includes addressing the entire life cycle of a system, (i.e., initiation,\n    definition, system design, programming and training, evaluation and acceptance, and\n    installation and operations). As such it would include, for example, the functional\n    requirements, data requirements, system/sub-system requirements, and both user\n    and technical manuals, etc.\n\nWithout formally documented processes, management cannot be assured that SSA OIG\npersonnel understand all of the requirements for successful change control, user access\nrecertifications, and systems design and development processes.\n\nWhen processes are not documented, such as formal processes for change control,\nuser access recertification, and ACIS system design and development, there is no\naccountability that the procedures were followed. When there is no accountability for the\nprocedures associated with these processes, it becomes difficult to resolve any\nproblems or issues. This lack of assurance may negatively impact SSA OI operations.\n\n4. SSA OIG lacks appropriate supervisory review in the change control process.\n\nBoth of the OIG personnel that are responsible for programming ACIS changes have the\nability to promote program changes to production. This increases the risk that\ninappropriate or incorrect changes could be placed into production, thereby\ncompromising the functionality of ACIS.\n\nOffice of Management and Budget (OMB) Circular A-130, Appendix III, Security of\nFederal Automated Information Resources, states that agencies are required to\nestablish controls to assure adequate security for all information processed, transmitted,\nor stored in Federal automated information systems. This appendix stresses the\nimportance of management controls affecting individual users of information technology.\nThe appendix states: "Technical and operational controls support management controls.\nTo be effective, all must interrelate."\n\nIn addition, Federal Information Processing Standards (FIPS) Publication 73 entitled\nGuidelines for Security of Computer Applications, Section 6.3.4 highlights the increased\nrisk associated with programmers having access to program code once an application is\noperational. This increases the possibility for unauthorized changes to existing code that\ncould benefit the programmer without being detected.\n\n5. OASDI and SSI dollar amounts from investigations may be over or understated\n\nThe program category field within ACIS is used to identify which program (OASDI or\nSSI) the fraud was committed against. The possibility exists that an investigation may\ninvolve fraud against both OASDI and SSI concurrently. While agents have the ability to\nenter in more than one program category per case into ACIS, the associated Monetary\nStatistics report only pulls the information from the first program category in each case.\nTherefore, in the case of concurrent fraud, agents are instructed to enter the dollar\namounts into the program category where the greater amount of fraud occurred. This\nresults in an overstatement of dollar amounts in the program category that the case was\nentered into, and an understatement of dollar amounts in the other program category.\n\n\n\n\n                                             7\n\x0cCONCLUSIONS AND RECOMMENDATIONS\n\nThroughout our evaluation of the four performance measures, we noted the strong\ncommitment of SSA\'s OIG staff to correctly implement GPRA. Our evaluation found that\nthe FY 2000 results of the four performance measures tested were reasonably stated.\nHowever, our evaluation noted that: 1) ACIS has some data integrity deficiencies; 2) the\nsavings calculation is not adequately supported; 3) SSA OIG lacks sufficient\ndocumentation for several key ACIS control areas; 4) SSA OIG lacks appropriate\nsupervisory review in the change control process; and 5) OASDI and SSI dollar amounts\nfrom investigations may be over or understated. We recommend that the OIG take the\nfollowing corrective actions:\n\nACIS has a number of data integrity deficiencies.\n\nTo ensure that the OI offices across the country are following the procedures outlined in\nthe SAH, that data entry and documentation errors do not go undetected, and to correct\ninternal control issues found during our case testing we recommend that OI:\n\n1) Expand its supervisory review of the cases, by including a comprehensive review of\n   the contents of all forms included in the case, to ensure the accuracy and\n   appropriateness of the information.\n2) Perform a FD-level review of the information entered into ACIS either by the SAC, in\n   cases where an SA or administrative staff has input the information into ACIS, or by\n   a supervisor in cases were the SAC has input the information into ACIS.\n3) Expand the Quality Assurance review performed at MAD to include all cases. The\n   Quality Assurance process should include a review of the OI-9 \xe2\x80\x9cACIS Criminal and\n   Administrative Disposition Form\xe2\x80\x9d for all cases and the supporting documentation.\n   The review should be documented to enable OI to identify systematic or widespread\n   problems throughout the FDs before they cause substantial errors in the information\n   reported\n\nThese procedures will prevent erroneous data being entered into ACIS in the future, and\ntherefore prevent inaccurate GPRA reporting.\n\nThe savings calculation is not adequately supported.\n\n4) We recommend that OI continue its work with SSA and the Office of the Actuary to\n   develop and update savings calculation for CDI cases.\n\n\n\n\n                                            8\n\x0cSSA OIG lacks sufficient documentation for several key ACIS control areas.\n\nTo ensure that the SSA OIG has proper controls in place for change control, user access\nrecertification, and system design and development, we recommend that the Office of\nExecutive Operations (OEO):\n\n5) Formalize and then document the change control process. This includes the\n   creation of a standardized change control form, incorporating a tracking number, the\n   reason for the request, testing, sign-offs and promotion of the program into\n   production.\n6) Create and document the user access recertification process. This should be an\n   annual process, which will ensure all users have access commensurate with their\n   position through verification by user management.\n7) Document all system design and development information. This documentation\n   should provide both the systems management and OEO with the rationale for the\n   design, as well as its functionality and data structure. Documentation is especially\n   useful during the implementation of new systems.\n\nSSA OIG lacks of appropriate supervisory review in the change control process.\n\n8) SSA OIG should ensure proper authorization exists prior to ACIS program changes\n   being promoted to production.\n9) In addition, the SSA OIG should use a computer operator, or other non-programmer\n   for the actual movement of programs into production.\n\nOASDI and SSI dollar amounts from investigations may be over or understated.\n\n10) To report accurate amounts for the OASDI and SSI dollars associated with\n    investigative activities, we recommend that the OIG reconsider the use of the second\n    program category and the design of the Monetary Statistics report. Agents should be\n    instructed to break the dollar amounts down by program category, and record\n    multiple entries for the same subject. This should not affect the number of\n    investigations or cases and should produce more accurate OASDI and SSI dollar\n    amounts.\n\nAPPROPRIATENESS OF THE PERFORMANCE MEASURES\n\nAs part of this engagement, we evaluated the appropriateness of each of the\nperformance measures with respect to GPRA compliance and SSA\xe2\x80\x99s APP. We\ndetermined whether the specific indicators and goals corresponded to the strategic goals\nidentified in SSA\xe2\x80\x99s APP, determined whether each of these indicators accurately\nmeasure performance, and determined their compliance with GPRA requirements.\n\nThe relationships between PMs #5 through 8 and the applicable SSA Strategic Goal is\ndepicted in the following figure:\n\n\n\n\n                                           9\n\x0c                                                               SSA Mission\n                                      To promote the economic security of the nation\'s people\n                                     through compassionate and vigilant leadership in shaping\n                                         and managing America\'s social security programs.\n\n\n\n\n                                                           Strategic "Goal #3"\n\n                                               To make SSA program management the\n                                               best-in-business, with zero tolerance for\n                                                           fraud and abuse\n\n\n\n\n                                                           Strategic Objective\n                                                To aggressively deter, identify and resolve\n                                                                  fraud\n\n\n\n\n    Performance Indicator & Goals   Performance Indicator & Goals        Performance Indicator & Goals     Performance Indicator & Goals\n\n       Number of investigations           OASDI dollar amounts            SSI Dollar amounts reported           Number of Criminal\n        conducted (i.e., closed)        reported from investigative       from investigative activities.           Convictions\n         FY 2000 Goal 7,600                      activities.              FY 2000 Goal $80 Million              FY 2000 Goal 1,800\n                                        FY 2000 Goal $40 Million\n\n\n\n\nThe SSA mission is supported by five strategic goals, including Goal 3, \xe2\x80\x9cTo make SSA\nprogram management the best-in-business, with zero tolerance for fraud and abuse.\xe2\x80\x9d\nGoal 3, in turn, is supported by several strategic objectives, including the relevant\nobjective \xe2\x80\x9cto aggressively deter, identify, and resolve fraud.\xe2\x80\x9d Performance Measures #5\nthrough #8 address the OIG\xe2\x80\x99s OI work related to SSA programmatic fraud. Assuming\nthat the metrics are reliable, the diagram indicates that PMs #5 - #8 logically align with\nSSA\xe2\x80\x99s strategic planning process.\n\nBased on the taxonomy of performance measures included in Appendix F, PMs #5\nthrough #8 are measures of accomplishment because they report on a result achieved\nwith SSA resources. They are further categorized as output measures because they\nindicate the accomplishments or results that occur because of the SSA services\nprovided. As shown in Appendix F, output measures include the number of\ninvestigations conducted.\n\nWithin the framework of GPRA, Performance Measures #5 through #8 fall within the\nintent of an output measure because they provide, \xe2\x80\x9c\xe2\x80\xa6a description of the level of activity\nor effort that will be produced.\xe2\x80\x9d2 Just as with counts of workload, dollar amounts of\nworkload are also a \xe2\x80\x9clevel of activity required\xe2\x80\x9d or \xe2\x80\x9cworkload\xe2\x80\x9d measurement. In addition,\n\n2\n    OMB Circular A-11, Preparation and Submission of Budget Estimates (FY2000), Section 200.2, p. 478.\n\n\n\n                                                                11\n\x0cone output can be the workload driver for another output (e.g., the number of\ninvestigations conducted is a factor that drives the number of criminal convictions).\nTherefore, all four measures are considered output measures. The intent of these four\nperformance measurements is to address the \xe2\x80\x9czero tolerance for fraud\xe2\x80\x9d strategic goal.\nThey can all be useful to management and external stakeholders, as encouraged by\nOMB Circular A-11, which provides guidance on the creation of an agency\xe2\x80\x99s\nperformance measures. However, if corrective actions are not implemented to correct\nthe issues identified as part of this report, potential errors in the data may in the future\nproduce unreliable results.\n\nOTHER MATTERS\n\nAs part of this evaluation, we identified several points that the OIG should consider when\ndesigning the new AMS, as well as other less significant matters that are peripheral to\nthis engagement. The points are discussed below.\n\nThere is a need for Service Level Agreements.\n\nIn the current organizational structure of the SSA OIG, the personnel responsible for\nsupporting ACIS are part of the OIG\xe2\x80\x99s OEO. The personnel who use ACIS for their day\nto day job functions reside in the OI. During the course of our evaluation, we discovered\nthat there was not any formal agreement between the OEO and the OI, which details the\nexpectations and responsibilities of both offices with respect to ACIS and its support.\n\nControl Objectives for Information and related Technology (COBIT)3 developed as\ngenerally applicable and accepted standard for good Information Technology (IT)\nsecurity and control practices, states the following:\n\n        \xe2\x80\x9cUsers and the IT function should have a written agreement which describes the\n        service level in qualitative and quantitative terms. The agreement defines the\n        responsibilities of both parties. The IT function must offer the agreed quality and\n        quantity of service and the users must constrain the demands they place upon\n        the service within the agreed limits.\xe2\x80\x9d\n\nThe lack of such an agreement can lead to miscommunication and unfulfilled\nexpectations, both of which could hamper the ability of affected OIG staff to perform their\njob functions effectively and efficiently. An agreement between both sides, such as a\nService Level Agreement (SLA), could detail each office\xe2\x80\x99s expectations and associated\njob duties, and provide accountability for their performance.\n\nRecommendation\n\n11) To ensure continued effective communication between OEO and OI, we recommend\n    SSA OIG draft a SLA between these offices, detailing the responsibilities of both\n    offices, as well as each office\xe2\x80\x99s expectations. The cognizant personnel in both\n    offices should sign this agreement.\n\n\n3         rd\n COBIT, 3 edition, July 2000. Published by the Information Systems Audit and Control Association &\nFoundation. URL:http//:www.isaca.org.\n\n\n\n\n                                                  12\n\x0cThere is no correlation between dollars reported from investigations and dollars\ncollected by SSA.\n\nBoth OASDI and SSI dollars reported from investigative activities are recorded into\nACIS. These figures are collected by case number, and the SSN upon which the fraud\nwas committed. However, it does not reference the SSN of the individual who\ncommitted the fraud. ACIS does not provide for accounting of the dollars actually\ncollected and the tracking ceases with the closing of a case.\n\nThe accounting for the dollars, which are actually collected by SSA, is performed by\nSSA\xe2\x80\x99s Debt Management System (DMS). The DMS contains information on the SSN to\nwhich the payment is posted. This may not always be the SSN that the fraud was\ncommitted against, but may be the SSN of the individual making the payment. Because\nthe SSNs cannot always be cross referenced, neither the OIG nor DMS can categorize\ndollars collected as dollars associated with OIG cases.\n\nRecommendation\n\n12) We recommend SSA\xe2\x80\x99s DMS include an OIG case number with its SSN information, if\n    applicable, or that ACIS include the SSN of the individual committing the fraud. This\n    will then give both groups the ability to cross reference these payments, and\n    accumulate not only the dollars reported from investigative activities, but also the\n    dollars that were collected.\n\nThe title \xe2\x80\x9cCriminal Convictions\xe2\x80\x9d for PM #8 is misleading.\n\nThe category \xe2\x80\x9cCriminal Convictions\xe2\x80\x9d contains several types of case resolutions. In\naddition to criminal convictions, the category also includes work with immigration and\ndeportation cases, the satisfaction of a fugitive warrant, and civil judgments. While there\nis a footnote explaining that the category contains more than criminal convictions, it does\nnot specifically state what is included in the total.\n\nBased on our recommendation, OI has changed the name of this performance measure\nin the draft SSA\xe2\x80\x99s FY 2003 APP to \xe2\x80\x9cNumber of Judicial Actions.\xe2\x80\x9d In addition, SSA\xe2\x80\x99s FY\n2003 APP includes the following definition for Judicial Actions: A judicial action is any\nevent during the criminal justice process that causes an individual suspected of\ncommitting a crime to be arrested for the crime, or to appear before a judge to enter a\nplea of guilty, or to face trial before a judge or jury.\n\nThere is a lack of disaster recovery documentation.\n\nACIS, used by the SSA OIG to maintain its investigation information, resides at the NIH\nCIT. As such, the SSA OIG is considered to be a user bureau by NIH, and is\noccasionally asked by NIH to participate in its annual disaster recovery tests.\n\nThe ACIS systems administrator also performs the duties of a security coordinator at\nNIH. As such, NIH notifies him when a disaster occurs and is at that time given his\ninstructions. However, a formal copy of the NIH disaster recovery plan is not kept by the\nSSA OIG.\n\n\n\n\n                                            13\n\x0cRecommendation\n\n13) To ensure that the SSA OIG has an understanding of the NIH disaster recovery plan\n    and its associated responsibilities, we recommend that the SSA OIG request a copy\n    of the NIH disaster recovery plan, and that the plan be reviewed and updated for\n    specific OIG-related matters on an annual basis.\n\n\n\n\n                                         14\n\x0c                          APPENDICES\n\n\nAPPENDIX A \xe2\x80\x93 Scope and Methodology\n\nAPPENDIX B \xe2\x80\x93 Acronyms\n\nAPPENDIX C \xe2\x80\x93 Performance Measure Summary Sheets\n\nAPPENDIX D \xe2\x80\x93 Performance Measure Process Maps\n\nAPPENDIX E \xe2\x80\x93 Performance Measure Taxonomy\n\x0c                                                                          APPENDIX A\n\n                        SCOPE AND METHODOLOGY\n\n\nThe Social Security Administration\xe2\x80\x99s (SSA) Office of the Inspector General (OIG)\ncontracted PricewaterhouseCoopers, LLP (PwC) to evaluate 11 SSA performance\nindicators identified in its Fiscal Year (FY) 2001 Annual Performance Plan (APP). This\nreport reflects our understanding and evaluation of the process related to PMs #5\nthrough #8. We performed our testing from September 21, 2000 through February 15,\n2001. Since FY 2001 performance results were not yet available as of the date of our\nevaluation, we performed tests of the performance data and related internal controls\nsurrounding the maintenance and reporting of the results for FY 2000. Specifically, we\nperformed the following:\n\n1. Obtained an understanding and reviewed the current Allegation and Case\n   Investigative System (ACIS) data flows and processes;\n2. Identified and tested critical controls (both electronic data processing (EDP) and\n   manual) of ACIS;\n3. Tested the accuracy of the underlying FY 2000 data for each of the specified\n   performance measures;\n4. Recalculated each specific FY 2000 measure to ascertain its mathematical accuracy;\n\n5. Determined whether performance measures were meaningful and in compliance with\n   the Government Performance and Results Act of 1993 (GPRA);\n6. Evaluated the impact of any relevant findings from prior and current audits with\n   respect to SSA\'s ability to meet performance measure objectives; and\n7. Identified findings relative to the above procedures and provided recommendations\n   for improvement.\n\nOur engagement was limited to testing at SSA\xe2\x80\x99s headquarters in Woodlawn, Maryland\nand the OIG office in Philadelphia, Pennsylvania. The procedures that we performed\nwere in accordance with the American Institute of Certified Public Accountants\xe2\x80\x99\nStatement on Standards for Consulting Services, and are consistent with appropriate\nstandards for performance audit engagements in Government Auditing Standards\n(Yellow Book, 1994 version). However, we were not engaged to and did not conduct an\naudit, the objective of which would be the expression of an opinion on the reliability or\naccuracy of the reported results of the performance measures evaluated. Accordingly,\nwe do not express such an opinion.\n\n1. Obtained an understanding and reviewed the current ACIS data flows and\n   processes.\n\nWe obtained an understanding of the underlying processes and operating procedures\nsurrounding ACIS and the generation of performance measures through interviews and\nmeetings with the appropriate SSA OIG personnel and by reviewing the following\ndocumentation:\n\n\n\n\n                                           A-1\n\x0c                                                                          APPENDIX A\n\nq   Policies and procedures manual for procedures surrounding the processing,\n    accumulating, and reporting of the data for the four performance measures;\nq   PwC system walk-through descriptions;\nq   PwC system flowcharts;\nq   SSA OIG-provided system descriptions, including the ACIS User Manual and the\n    Special Agent Handbook;\nq   FY 2000 ACIS data and corresponding data definitions;\nq   The National Institutes of Health Statement on Auditing Standards (SAS) 70 Reports\n    for FY 1999 and FY 2000, describing the general controls surrounding the ACIS\n    application;\nq   Internal report on Investigation Related Recoveries; and\nq   Internal and external reports on the four performance measures (including OIG,\n    General Accounting Office, etc.)\n\n2. Identified and tested critical controls (both EDP and manual) of ACIS.\n\nBased on the understanding we obtained during the planning part of this engagement, a\nreview of related prior-year audit work at SSA, and our understanding of the Federal\nInformation Systems Controls Audit Manual (FISCAM) methodology, we developed and\nperformed tests of internal controls (both general and application) related to ACIS, for\nthe following areas:\n\nq   Access Control (including Separation of Duties);\nq   Data Input;\nq   Data Rejection;\nq   Data Processing (including backup and recovery); and\nq   Data Output.\n\n3. Tested the accuracy of the underlying FY 2000 data for each of the specified\n   performance measures.\n\nTo verify, validate, and test the accuracy of the FY 2000 data we performed the\nfollowing:\n\nq   Selected a random sample of 45 OASDI, 45 SSI, and 20 criminal conviction cases\n    from ACIS by performing the following:\n\n    a) Obtained a copy of the ACIS data as of September 30, 2000 from the OIG Office\n       of Executive Operations;\n    b) Created and executed audit control language (ACL) programs to extract random\n       samples for Old-Age, Survivors and Disability Insurance, Supplemental Security\n       Income and Conviction Cases; and\n    c) Created an ACL program to display the monetary figures for the cases selected.\n\n    We requested copies of the OI-1 \xe2\x80\x9cCase Opening Report,\xe2\x80\x9d OI-9 \xe2\x80\x9cACIS Criminal &\n    Administrative Disposition Form\xe2\x80\x9d and the OI-68 \xe2\x80\x9cCourt-Ordered Restitution/Judgment\n    Form\xe2\x80\x9d and performed the following:\n\n\n\n                                          A-2\n\x0c                                                                          APPENDIX A\n\n\n    a) Verified that a completed OI-1 was properly signed and completed;\n    b) Verified that the OI-68 was completed and was supported by documentation in\n       the file;\n    c) Verified that a completed OI-9 was properly signed by the Field Division SAC;\n    d) Traced the monetary achievement documentation on the OI-9 and OI-68 to the\n       amount of monetary achievement in ACIS to ensure the monetary amount\n       reported in ACIS was in fact correct; and\n    e) Ensured that the OI-4 agreed with information on OI-9, OI-68, and ACIS. OI-4\n       obtained from sub-offices that choose to include them in the documentation sent.\n\n\nq   Judgmentally selected a sample of 10 case files from the closed cases at the\n    Philadelphia field division (FD), and with the assistance of FD personnel we traced\n    and agreed the OI-9 to the information in ACIS. In addition, we ensured that the\n    information included on the OI-9 was valid by performing the following:\n\n    Ensured the following documents were included in the file:\n\n    a) Allegation report (i.e., SSA-8551, Fraud Referral Form).\n    b) OI-1 Case Opening Report, properly signed and completed by the FD Special\n       Agent-in-Charge (SAC).\n    c) Overpayment recipient Numident, and Master Beneficiary Record\n       (MBR)/Supplemental Security Record (SSR).\n    d) OI-4 Report of Investigation, reviewed and signed by the FD Assistant Special\n       Agent-in-Charge (ASAC).\n    e) Supervisory File review sheet.\n    f) OI-9 ACIS input form, properly signed and completed by the FD SAC. Ensured\n       that the OI-9 agreed with the information on the OI-4.\n    g) OI-31 Case Closing Checklist reviewed and signed by the FD ASAC.\n\n    For cases involving restitution we ensured that in addition to the above documents\n    the case file included the following:\n\n    a) OI-16A Statement of Overpayment Recipient signed by the subject and the SAC.\n    b) Copy of check provided by the subject.\n    c) Check receipt from SSA personnel.\n\n4. Recalculated each specific FY 2000 measure to ascertain its mathematical\n   accuracy\n\nBased on our understanding of SSA and Performance Measures (PM) #5 through #8,\nwe obtained the FY 2000 ACIS data and performed Computer Assisted Audit\nTechniques (CAATs) using ACL to accumulate counts for four measures, and then\ncompared those results to the figures reported for GPRA. We then reconciled any\ndifferences through data analysis and subsequent discussions with SSA OIG personnel.\n\n\n\n\n                                           A-3\n\x0c                                                                         APPENDIX A\n\n5. Determined whether performance measures were meaningful and in\n   compliance with GPRA\n\nAs part of this engagement, we evaluated the appropriateness of each of the\nperformance measures with respect to GPRA compliance and SSA\xe2\x80\x99s APP. We\ndetermined whether the specific indicators and goals corresponded to the strategic goals\nidentified in SSA\xe2\x80\x99s APP, determined whether each of these indicators accurately\nmeasure performance, and determined their compliance with GPRA requirements.\n\n\n\n\n                                          A-4\n\x0c                                                            APPENDIX B\n\n                             ACRONYMS\n\n\nACIS     Allegation and Case Investigative System\nADABAS   A Database\nAMD      Allegation Management Division\nAMS      Allegation Management System\nAPP      Annual Performance Plan\nASAC     Assistant Special Agent-in-Charge\nCAATs    Computer Assisted Audit Techniques\nCIT      Center for Information Technology\nDI       Disability Insurance\nDMS      Debt Management System\nEDP      Electronic Data Processing\nFD       Field Division\nFIPS     Federal Information Processing Standards\nFISCAM   Federal Information System Controls Audit Manual\nFY       Fiscal Year\nGPRA     Government Performance and Results Act\nIT       Information Technology\nJ&C      Judgment and Commitment Order\nMATPSC   Mid-Atlantic Program Service Center\nMBR      Master Beneficiary Record\nNIH      National Institutes of Health\nOASDI    Old-Age and Survivors and Disability Insurance\nOEO      Office of Executive Operations\nOI       Office of Investigations\nOIG      Office of the Inspector General\nOMB      Office of Management and Budget\nPM       Performance Measure\nPwC      PricewaterhouseCoopers LLP\nSA       Special Agent\nSAC      Special Agent-in-Charge\nSAH      Special Agent Handbook\nSAS      Statements on Auditing Standards\nSLA      Service Level Agreement\nSSA      Social Security Administration\nSSI      Supplemental Security Income\nSSN      Social Security number\nSSR      Supplemental Security Record\n\x0c                                                                                                                                  APPENDIX C\n\n                                     PERFORMANCE MEASURE SUMMARY SHEETS\n\nName of Measure                                            Measure Type                Strategic Goal/Objective\n5) Number of investigations conducted (i.e., closed)       Workload                    Goal: To make SSA program management the best-in-\n                                                                                       business, with zero tolerance for fraud and abuse.\n                                                                                       Objective: To aggressively deter, identify and resolve\n                                                                                       fraud.\nPurpose                                                                                                            Report Frequency\nTo increase the number of investigations conducted resulting from allegations that have                            Semiannual\nsufficient information or potential risk to warrant further review or action by a criminal\ninvestigator.\nHow Computed                                               Data Source                  Data Availability          Data Quality\nInvestigations are counted as \xe2\x80\x9cconducted\xe2\x80\x9d when all         ACIS                         Adequate                   Adequate\nOIG actions have been completed, i.e., the\ninvestigator has presented the facts of the case to a\nprosecutor or has determined that further action is not\nwarranted due to lack of investigative leads.\nTarget Goal                                                Division                     Designated Staff Members\n7,600                                                      OIG                          Mike Arbuco, Amy Shemenski, Dennis Fabel,\n                                                                                        Dawn Zgorski, Oliver Webb\nEDP Controls Testing and Results\nWe performed tests of internal controls (both general and application) related to ACIS, for the following areas:\n\xc2\xb7 Access Control (including Separation of Duties);\n\xc2\xb7 Data Input;\n\xc2\xb7 Data Rejection;\n\xc2\xb7 Data Processing (including backup and recovery); and\n\xc2\xb7 Data Output.\nRefer to \xe2\x80\x9cResults of Evaluation\xe2\x80\x9d for a description of the findings.\n\x0c                                                                                                                              APPENDIX C\nCAATs Testing and Results\nWe obtained the FY 2000 ACIS data and performed CAATs using ACL to accumulate counts for this measure, and then compared those results\nto those reported for GPRA. We then reconciled any differences through data analysis and subsequent discussions with SSA OIG personnel.\n\nRefer to \xe2\x80\x9cResults of Evaluation\xe2\x80\x9d for a description of the findings.\nData and Manual Controls Testing and Results\nWe verified the completeness and accuracy of the ACIS data by judgmentally selecting a sample of 10 case files from the closed cases cabinet\nin the Philadelphia OI office and performed the following:\n\xc2\xb7  Ensured the following documents were included in the file:\na) Allegation report (i.e., SSA-8551, Fraud Referral Form, or other type of allegation report)\nb) OI-1 Case opening report, properly signed and completed by the field division SAC\nc) Overpayment recipient Numident, and MBR/SSR\nd) OI-4 Report of Investigation, reviewed and signed by the field division ASAC\ne) Supervisory File review sheet\nf) OI-9 ACIS input form, properly signed and completed by the Field Division SAC. Ensured that the OI-9 agreed with the information on the\n   OI-4.\ng) OI-31 Case closing Checklist, reviewed and signed by the field division ASAC\n\xc2\xb7    For cases involving restitution, ensured that in addition to the above documents the case file included the following:\n     d) OI-16A statement of overpayment recipient signed by the claimant and the SAC\n     e) Copy of check provided by the claimant\n     f) Check receipt from SSA personnel\n\xc2\xb7    Traced and agreed the information in the OI-9 to the information in ACIS.\n\nRefer to \xe2\x80\x9cResults of Evaluation\xe2\x80\x9d for a description of the findings.\n\x0c                                                                                                                                     APPENDIX C\n\n\nName of Measure                                            Measure Type                Strategic Goal/Objective\n6) OASDI dollar amounts reported from                      Workload                    Goal: To make SSA program management the best-in-\ninvestigative activities                                                               business, with zero tolerance for fraud and abuse.\n                                                                                       Objective: To aggressively deter, identify and resolve\n                                                                                       fraud.\nPurpose                                                                                                            Report Frequency\n\nTo report OASDI dollars from penalties, assessments, savings, recoveries and restitutions related to               Semi-Annual\ninvestigative activities.\nHow Computed                                               Data Source                  Data Availability          Data Quality\nOASDI dollars from penalties, assessments, savings         ACIS                         Adequate                   Adequate, except for the data\nrecoveries, and restitutions related to investigative                                                              integrity anomalies found as part\nactivities that are reported by OIG filed divisions and                                                            of our evaluation. Refer to\nincluded in OIG semi-annual reports.                                                                               \xe2\x80\x9cResults of Evaluation\xe2\x80\x9d for a\n                                                                                                                   description of the findings.\nTarget Goal                                                Division                     Designated Staff Members\n$ 40 Million                                               OIG                          Mike Arbuco, Amy Shemenski, Dennis Fabel,\n                                                                                        Dawn Zgorski, Oliver Webb\nEDP Controls Testing and Results\nWe performed tests of internal controls (both general and application) related to ACIS, for the following areas:\n\xc2\xb7 Access Control (including Separation of Duties);\n\xc2\xb7 Data Input;\n\xc2\xb7 Data Rejection;\n\xc2\xb7 Data Processing (including backup and recovery); and\n\xc2\xb7 Data Output.\n\nRefer to \xe2\x80\x9cResults of Evaluation\xe2\x80\x9d for a description of the findings.\nCAATs Testing and Results\nWe obtained the FY 2000 ACIS data and performed CAATs using ACL to accumulate counts for this measure, and then compared those results\nto those reported for GPRA. We then reconciled any differences through data analysis and subsequent discussions with SSA OIG personnel.\n\nRefer to \xe2\x80\x9cResults of Evaluation\xe2\x80\x9d for a description of the findings.\n\x0c                                                                                                                          APPENDIX C\nData and Manual Controls Testing and Results\nTo ensure that accuracy of the reported information we selected a judgmental sample of 45 OASDI cases from ACIS and performed the\nfollowing:\n\xc2\xb7   Verified that a completed OI-9 \xe2\x80\x9cACIS input form\xe2\x80\x9d was properly signed by the Field Division SAC\n\xc2\xb7   Verified that a completed OI-1 form was properly signed and completed\n\xc2\xb7   Verified that the OI-68 has been completed and was supported by documentation in the file\n\xc2\xb7   Trace monetary achievement documentation in case file to amount of monetary achievement reported in ACIS\n\nRefer to \xe2\x80\x9cResults of Evaluation\xe2\x80\x9d for a description of the findings.\n\x0c                                                                                                                                     APPENDIX C\n\n\n\nName of Measure                                            Measure Type                Strategic Goal/Objective\n7) SSI dollar amounts reported from                        Workload                    Goal: To make SSA program management the best-in-\ninvestigative activities                                                               business, with zero tolerance for fraud and abuse.\n                                                                                       Objective: To aggressively deter, identify and resolve\n                                                                                       fraud.\nPurpose                                                                                                            Report Frequency\nTo report SSI dollars from penalties, assessments, savings, recoveries and restitutions related to                 Semi-annual\ninvestigative activities.\nHow Computed                                               Data Source                  Data Availability          Data Quality\nSSI dollars from penalties, assessments, savings           ACIS                         Adequate                   Adequate, except for the data\nrecoveries, and restitutions related to investigative                                                              integrity anomalies found as part\nactivities that are reported by OIG filed divisions and                                                            of our evaluation. Refer to\nincluded in OIG semi-annual reports.                                                                               \xe2\x80\x9cResults of Evaluation\xe2\x80\x9d for a\n                                                                                                                   description of the findings.\nTarget Goal                                                Division                     Designated Staff Members\n$ 80 Million                                               OIG                          Mike Arbuco, Amy Shemenski, Dennis Fabel, Dawn\n                                                                                        Zgorski, Oliver Webb\nEDP Controls Testing and Results\nWe performed tests of internal controls (both general and application) related to ACIS, for the following areas:\n\xc2\xb7 Access Control (including Separation of Duties);\n\xc2\xb7 Data Input;\n\xc2\xb7 Data Rejection;\n\xc2\xb7 Data Processing (including backup and recovery); and\n\xc2\xb7 Data Output.\nRefer to \xe2\x80\x9cResults of Evaluation\xe2\x80\x9d for a description of the findings.\nCAATs Testing and Results\nWe obtained the FY 2000 ACIS data and performed CAATs using ACL to accumulate counts for this measure, and then compared those results\nto those reported for GPRA. We then reconciled any differences through data analysis and subsequent discussions with SSA OIG personnel.\n\nRefer to \xe2\x80\x9cResults of Evaluation\xe2\x80\x9d for a description of the findings.\n\x0c                                                                                                                               APPENDIX C\nData and Manual Controls Testing and Results\nTo ensure that accuracy of the reported information we selected a judgmental sample of 45 SSI cases from ACIS and performed the following:\n\xc2\xb7   Verified that a completed OI-9 \xe2\x80\x9cACIS input form\xe2\x80\x9d was properly signed by the Field Division Special Agent In Charge (SAC)\n\xc2\xb7   Verified that a completed OI-1 form was properly signed and completed\n\xc2\xb7   Verified that the OI-68 has been completed and was supported by documentation in the file\n\xc2\xb7   Traced monetary achievement documentation in case file to amount of monetary achievement reported in ACIS\n\nRefer to \xe2\x80\x9cResults of Evaluation\xe2\x80\x9d for a description of the findings.\n\x0c                                                                                                                                  APPENDIX C\n\n\nName of Measure                                             Measure Type                Strategic Goal/Objective\n8) Number of Criminal Convictions                           Workload                    Goal: To make SSA program management the best-in-\n                                                                                        business, with zero tolerance for fraud and abuse.\n                                                                                        Objective: To aggressively deter, identify and resolve\n                                                                                        fraud.\nPurpose                                                                                                            Report Frequency\nTo report the number of criminal convictions as related to SSA/OIG investigative activities.                       Semi-Annual\n\nHow Computed                                                Data Source                  Data Availability         Data Quality\nNumber of criminal convictions as related to SSA/OIG        ACIS                         Adequate                  Adequate\ninvestigative activities.\nTarget Goal                                                 Division                     Designated Staff Members\n1,800                                                       OIG                          Mike Arbuco, Amy Shemenski, Dennis Fabel,\n                                                                                         Dawn Zgorski, Oliver Webb\nEDP Controls Testing and Results\nWe performed tests of internal controls (both general and application) related to ACIS, for the following areas:\n\xc2\xb7 Access Control (including Separation of Duties);\n\xc2\xb7 Data Input;\n\xc2\xb7 Data Rejection;\n\xc2\xb7 Data Processing (including backup and recovery); and\n\xc2\xb7 Data Output.\n\nRefer to \xe2\x80\x9cResults of Evaluation\xe2\x80\x9d for a description of the findings\nCAATs Testing and Results\nWe obtained the FY 2000 ACIS data and performed CAATs using ACL to accumulate counts for this measure, and then compared those results to\nthose reported for GPRA. We then reconciled any differences through data analysis and subsequent discussions with SSA OIG personnel.\n\nRefer to \xe2\x80\x9cResults of Evaluation\xe2\x80\x9d for a description of the findings\n\x0c                                                                                                                               APPENDIX C\nData and Manual Controls Testing and Results\nTo ensure that accuracy of the reported information we selected a judgmental sample of 20 criminal convictions from ACIS and performed the\nfollowing:\n\xc2\xb7   Verified that a completed OI-9 \xe2\x80\x9cACIS input form\xe2\x80\x9d was properly signed by the Field Division Special Agent In Charge (SAC)\n\xc2\xb7   Verified that a completed OI-1 form was properly signed and completed\n\xc2\xb7   Verified that the OI-68 has been completed and was supported by documentation in the file\n\xc2\xb7   Traced monetary achievement documentation in case file to amount of monetary achievement reported in ACIS\n\nRefer to \xe2\x80\x9cResults of Evaluation\xe2\x80\x9d for a description of the findings\n\x0c                                   APPENDIX D\nPERFORMANCE MEASURE PROCESS MAPS\n\x0c                                                                                                        APPENDIX D\n\n                                       Allegation Intake by\n                                       Program Specialist\n\n\n\n\n                                    Research ACIS database on\n                                     subject name and SSN to\n                                      ensure not a duplicate\n                                             allegation.\n\n\n\n\n                                                              Yes        Original allegation\n                                                                         updated with any\n                                           Duplicate?\n                                                                             additional\n                                                                            information\n\n                                                     No\n\nField divisions and hotline are\n assigned different allegation\nnumbers to easily identify the          Computer assigns\n  location where allegation             allegation number.\n   informatiion was taken.\n\n\n\n\n                                                               Yes             Research SSA\n                                          OASDI or SSI                        database to verify\n                                           allegation?                        whether allegation\n                                                                                could be true\n\n                                                     No\n\n\n\n                                        Supervisor reviews\n\n\n\n\n                                                                    No\n                                            Possible                                           Archived in\n                                            violation?                                          database\n\n\n\n                                                     Yes\n\n\n                                               To\n                                              Page\n                                               2\n\n\n\n\n                                  Investigation Process cont.\n\n\n\n                                                  E-3\n\x0c                                                                                                                    APPENDIX D\n                                                          From\n                                                          Page\n                                                            1\n\n\n\n\n                      Special Agent        No\n                                                    OASDI or SSI\n                       In Charge\n                                                     allegation?\n                         Review\n\n\nAllegation                                                               Yes\n closed.       No\nArchived                Possible                                          No                                        Allegation\n    in                  violation?                    OASDI or\n                                                                                                                      closed.\ndatabase.                                               SSI DI                  ASAC Review\n                                                                                                                    Archived in\n                    Yes                               violation?\n                                                                                                                    database.\n                                                                                                    No\n                                                                               Yes\n                    Allegation sent to\n                      Field Division\n                                                                                  Possible               Maybe\n                                                    Special Agent                 violation?\n                                                      Review\n                           To                                                                                    Allegation referred\n                          Page                                                 Yes                                   to SSA for\n                            3                                                                                       development.\n                                                                                                                 Allegation remains\n                                                                                                                     open until\n                                          Yes                                  Allegation sent to                response received\n                                                      Possible                   Field Division                      from SSA.\n                     ASAC Review\n                                                      violation?\n\n\n\n                                                                                      To\nAllegation                                                                           Page\n closed.      No                                                                                                  Response from\n                        Possible                                                       3\nArchived                                                                                                              SSA\n                        violation?\n    in\ndatabase.\n\n                                 Yes\n\n                                                     No                                  AMD Hotline\n                    Allegation sent to                                                                    No\n                                                                                            closes\n                      Field Division                                                                                 Possible\n                                                                                          allegation.\n                                                                                                                     violation?\n                                                     Allegation                          Archived in\n                                                       closed.                            database.\n                                                                                                                  Yes\n                                                     Archived in\n                           To                        database.\n                          Page                                                                                   Allegation sent to\n                            3                                                                                      Field Division\n\n\n\n\n                                                                                                                         To\n  Note: Most of the time SSA does not send back a response                                                              Page\n  indicating their assessment of the allegation forwarded by the                                                          3\n  hotline for review. However, SSA completes a 8551 form and\n  forwards the possible violation on to the appropriate Field\n  Division for investigation via the ACIS system. A new allegation\n  number is issued.\n\n\n\n\n                                         Investigation Process cont.\n\n\n\n                                                                   E-4\n\x0c                                                                                                                  APPENDIX D\n                                                    From\n                                                    Page\n                                                      2\n\n\n\n\n                                       Email sent by Hotline Mgmt to\n                                     inform OI Field Division (OIFD) of\n                                            pending allegations.\n\n                                                                                      Data Corrections: After the end of the\n                                                                                      month, no corrections can be made by the\n                                                  Allegation                          agents to the case file data contained on\n                                              reviewed by Field                       ACIS. The only way data can be corrected\n                                                   Division                           is by Dawn Zgorski , Michael Arbuco, and\n                                                     SAC                              some of the OIFD SACs.\n\n\n\n\n      Allegation          No                  Does allegation\n        closed.\n                                              meet materiality\n      Archived in\n                                                threshold?\n      database.\n\n                                             Yes\n\n\n\n                                             Case assigned to                                       Yes\n                                                                                Duplicate                       Original case\n                                             agent. Database\n                                                                                 case?                            updated.\n                                             search performed .\n\n\n\n\n                                                Form OI-1 is              No\n                                               completed and\n                                             signed by the SAC\n                                                to open case\nCase numbers like allegation numbers                                                                              Allegation\nare unique to each Field Division. No two                                                                         closed and\nfield divisions will have the same case                                                                           archived in\nnumbers.                                                                                                          database.\n                                              Allegation info is\n                                               transferred to\n                                                   ACIS.\n\n\n\n                                                                                  Field Division performs search of database to\n                                                                                ensure not duplicate case. It is possibe to have 2\nNote: The external case file must            Computer assigns                      allegations that would equate to 1 case or 2\ncontain a signed OI-1& OI-9 as well as        a unique case                    allegations for the same subject that could result in\nsupporting documentation for monetary            number.                          2 different cases based upon the nature of the\nachievements reported in ACIS.                                                                         case.\n\n\n\n                                                    Agent\n                                                   prepares\n                                                      an\n                                                   external\n                                                      file\n\n\n\n\n                                                     To\n                                                    Page\n                                                      4\n\n\n\n\n                                            Investigation Process cont.\n\n\n                                                                   E-6\n\x0c                                                                                           APPENDIX D\n                                                                 From\n                                                                 Page\n                                                                   3\n\n\n\n\n                                                             Investigative\n                                                             activities are\n                                                          documented in the\n                                                          external case files\n                                                           by investigative\n                                                                 agent\n\n\n\n\n                                                          External case files\n                                                            are periodically\n                                                            reviewed by the\n                                                             SAC using the\n                                                          review by interview\n                                                                process\n\n\n\n\n                                                             SAC agrees               No\nNote: Both form OI-1 & OI-9 are required to be\nin the external case files appropriately signed by          case should be\nthe SAC. Forms OI-1 & OI-9 can be located                      closed?\non-line, however, they will not be signed and do\nnot support proper authorization for opening\nand closing cases.\n                                                                        Yes\n\n\n\n                                                              Form OI-9 is\n                                                            completed and\n                                                          signed by the SAC\n                                                             to close case\n\n\n\n\n Documentation of monetary,\n conviction, unresolved, and/or                      Agent or Administrative Clerk\n SSN misuse type information is                      updates ACIS with monetary,\n maintained in the external case                     conviction, unresolved, and/or\n files.                                              SSN misuse type information\n\n\n\n\n                                                                Case is\n                                                            marked closed\n                                                            and archived in\n                                                             the database\n\n\n\n\n                                                        E-7\n\x0c                                                   APPENDIX D\nPayment Process\n\n\n   Payment made to Clerk\n     of the Court in the\n   Appropriate Jurisdiction\n\n\n\n\n    Payment recorded in\n    Department of Justice\n     records for reporting\n          purposes\n\n\n\n\n Payment mailed to SSA Mid-\n  Atlantic Program Service\n  Center in Philadelphia, PA\n\n\n\n\n                              Yes     Apply payment to SSN the\n                                    fraud was committed against\n       SSA Payment?\n                                       in the Debt Management\n                                                System\n\n                   No\n\n      Payment returned\n      to Department of\n           Justice\n\n\n\n\n          E-8\n\x0c                                                                                                                                                                                                     APPENDIX E\n\n                                                                        PERFORMANCE MEASURE TAXONOMY\n\n\n\n                                                                                        Categories of Performance Measures:\n\nEfforts are the amount of financial                                                                                                                                                            These indicators measure the\nand nonfinancial resources (in                                                                                                                                                                 resources used or cost (for\nterms of money, material, and so                                                                       2) Measures of                                            3) Measures that relate       example, in dollars, employee-\nforth) that are put into a program       1) Measures of efforts                                                                                                                                hours, or equipment used) per\nor process. Measures of service\n                                                                                                      accomplishments                                          efforts to accomplishments      unit of output. They provide\nefforts also include ratios that                                                                                                                                                               information about the production\ncompare financial and                                                                                                                                                                          of an output at a given level of\nnonfinancial resources with other                                             Accomplishment measures report                                                                                   resource use and demonstrate an\nmeasures that may indicate                                                    what was provided and achieved                                                                                   entity\'s relative efficiency when\npotential demand for services,                                                with the resources used.                                                                                         compared with previous results,\nsuch as general population,                                                                                                                                                                    internally established goals and\nservice population, or lane-miles                                                                                                                                                              objectives, generally accepted\n                                                                                              Outputs measure the quantity of services provided;\nof road.                                                                                                                                                                                       norms or standards, or results\n                                                                                              outcomes measure the results of providing those\n                                                                                                                                                                                               achieved by similar jurisdictions.\n                                                                                              outputs.\n\n\n                                                                                                                                                                                        Cost\xe2\x80\x93outcome measures that relate\n Financial resources that are put into a\n                                                                                                                                                                                             efforts to the outcomes\n          program or process\n                                                                                                                                                                                              or results of services\n                                                                                   Output measures\n\n\n\n\n  Non-financial resources that are put                                                                                                        Outcome measures                         Efficiency measures That relate efforts\n            into a program                                                                                                                                                                           to outputs\n              or process                                                                                                                                                                            of services\n\n\n                                                                                                                                         These indicators measure\n                                                                                                                                         accomplishments or results that occur (at\n                                                Quantity of a service provided                                                           least partially) because of services\n                                                                                                       Quantity of a service\n                                                 that meets a certain quality                                                            provided. Results also include measures\n                                                                                                            provided\n                                                        requirements                                                                     of public perceptions of outcomes. For\n                                                                                                                                         example, measures may include the\n                                                                                                                                         percentage of students achieving a\n                                                                                                                                         specified skill-level gain in reading; the\n                                      These indicators measure the physical quantity of          These indicators measure the\n                                                                                                                                         percentage of the population being served\n                                      a service provided that meets a test of quality. For       physical quantity of a service\n                                                                                                                                         by public transportation; the percentage of\n                                      example, measures may include the percentage of            provided. For example, measures\n                                                                                                                                         lane-miles of road in excellent, good, or\n                                      students graduated or promoted who have met a              may include the number of\n                                                                                                                                         fair condition; and the clearance rate for\n                                      minimum prespecified standard of achievement;              students promoted or graduated;\n                                                                                                                                         serious crimes or the percentage of\n                                      the percentage of buses meeting a prespecified             the number of passenger miles\n                                                                                                                                         residents rating their neighborhood as\n                                      on-time standard of achievement; the percentage            provided by public transit; the\n                                                                                                                                         safe or very safe.\n                                      of lane-miles of road repaired to a certain minimum        number of lane-miles of road\n                                      satisfactory condition; and the percentage of              repaired; and the number of crimes                        Adapted from GPRA, GASB Concept No. 2, and the\n                                      criminal investigations performed that result in the       investigated.                                           "Performance Measurement for Government" web site at\n                                      identification of prime suspect.                                                                                                    Rutgers University\n                                                                                                                                                         www.rutgers.edu/Accounting/raw/seagov/pmg/index.html\n\x0c                           DISTRIBUTION SCHEDULE\n\n\n\n                                                                            No. of\n                                                                            Copies\n\nCommissioner of Social Security                                               1\nManagement Analysis and Audit Program Support Staff, OFAM                    10\nInspector General                                                             1\nAssistant Inspector General for Investigations                                1\nAssistant Inspector General for Executive Operations                          3\nAssistant Inspector General for Audit                                         1\nDeputy Assistant Inspector General for Audit                                  1\n Director, Systems Audit Division                                             1\n Director, Financial Management and Performance Monitoring Audit Division     1\n Director, Operational Audit Division                                         1\n Director, Disability Program Audit Division                                  1\n Director, Program Benefits Audit Division                                    1\n Director, General Management Audit Division                                  1\nIssue Area Team Leaders                                                      25\nIncome Maintenance Branch, Office of Management and Budget                    1\nChairman, Committee on Ways and Means                                         1\nRanking Minority Member, Committee on Ways and Means                          1\nChief of Staff, Committee on Ways and Means                                   1\nChairman, Subcommittee on Social Security                                     2\nRanking Minority Member, Subcommittee on Social Security                      1\nMajority Staff Director, Subcommittee on Social Security                      2\nMinority Staff Director, Subcommittee on Social Security                      2\nChairman, Subcommittee on Human Resources                                     1\nRanking Minority Member, Subcommittee on Human Resources                      1\nChairman, Committee on Budget, House of Representatives                       1\nRanking Minority Member, Committee on Budget, House of Representatives        1\nChairman, Committee on Government Reform and Oversight                        1\nRanking Minority Member, Committee on Government Reform and Oversight         1\nChairman, Committee on Governmental Affairs                                   1\nRanking Minority Member, Committee on Governmental Affairs                    1\n\x0cChairman, Committee on Appropriations, House of Representatives              1\nRanking Minority Member, Committee on Appropriations,\n House of Representatives                                                    1\nChairman, Subcommittee on Labor, Health and Human Services, Education\n and Related Agencies, Committee on Appropriations,\n House of Representatives                                                    1\nRanking Minority Member, Subcommittee on Labor, Health and Human\n Services, Education and Related Agencies, Committee on Appropriations,\n House of Representatives                                                    1\nChairman, Committee on Appropriations, U.S. Senate                           1\nRanking Minority Member, Committee on Appropriations, U.S. Senate            1\nChairman, Subcommittee on Labor, Health and Human Services, Education\n and Related Agencies, Committee on Appropriations, U.S. Senate              1\nRanking Minority Member, Subcommittee on Labor, Health and Human\n Services, Education and Related Agencies, Committee on Appropriations,\n U.S. Senate                                                                 1\nChairman, Committee on Finance                                               1\nRanking Minority Member, Committee on Finance                                1\nChairman, Subcommittee on Social Security and Family Policy                  1\nRanking Minority Member, Subcommittee on Social Security and Family Policy   1\nChairman, Senate Special Committee on Aging                                  1\nRanking Minority Member, Senate Special Committee on Aging                   1\nVice Chairman, Subcommittee on Government Management Information\n  and Technology                                                             1\nPresident, National Council of Social Security Management Associations,\n  Incorporated                                                                1\nTreasurer, National Council of Social Security Management Associations,\n  Incorporated                                                                1\nSocial Security Advisory Board                                                1\nAFGE General Committee                                                        9\nPresident, Federal Managers Association                                      1\nRegional Public Affairs Officer                                              1\n\n\nTotal                                                                        97\n\x0c                   Overview of the Office of the Inspector General\n\n\n                                         Office of Audit\nThe Office of Audit (OA) conducts comprehensive financial and performance audits of the\nSocial Security Administration\'s (SSA) programs and makes recommendations to ensurethat\nprogram objectives are achieved effectively and efficiently. Financial audits, required by the\nChief Financial Officers Act of 1990, assesswhether SSA\' s financial statementsfairly present\nthe Agency\'s financial position, results of operations, and cash flow. Performance audits review\nthe economy, efficiency, and effectiveness of SSA\' s programs. OA also conducts short-term\nmanagementand program evaluations focused on issues of concern to SSA, Congress, and the\ngeneral public. Evaluations often focus on identifying and recommending ways to prevent and\nminimize program fraud and inefficiency.\n\n                               Office of Executive Operations\nThe Office of Executive Operations (OEO) supports the Office of the Inspector General (OIG) by\nproviding information resource management; systemssecurity; and the coordination of budget,\nprocurement, telecommunications, facilities and equipment, and human resources. In addition,\nthis office is the focal point for the OIG\'s strategic planning function and the development and\nimplementation of performance measuresrequired by the Government Performance and Results\nAct. OEO is also responsible for performing internal reviews to ensure that OIG offices\nnationwide hold themselves to the samerigorous standardsthat we expect from the Agency, as\nwell as conducting employee investigations within OIG. Finally, OEO administers OIG\'s public\naffairs, media, and interagency activities and also communicates OIG\'s planned and current\nactivities and their results to the Commissioner and Congress.\n\n                                    Office of Investigations\nThe Office of Investigations (01) conducts and coordinates investigative activity related to fraud.\nwaste, abuse,and mismanagement of SSA programs and operations. This includes wrongdoing\nby applicants, beneficiaries, contractors, physicians, interpreters, representative payees,third\nparties, and by SSA employees in the performance of their duties. Or also conducts joint\ninvestigations with other Federal, State, and local law enforcement agencies.\n\n                              Counsel to the Inspector General\nThe Counsel to the Inspector General provides legal advice and counsel to the Inspector General\non various matters, including: l) statutes,regulations, legislation, and policy directives\ngoverning the administration of SSA \' s programs; 2) investigative procedures and techniques; and\n3) legal implications and conclusions to be drawn from audit and investigative material produced\nby the DIG. The Counsel\'s office also administers the civil monetary penalty program.\n\x0c'